Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evil Code and how to defend against it CSCI 4300

Published byChristal Tucker Modified over 9 years ago

Similar presentations

Presentation on theme: "Evil Code and how to defend against it CSCI 4300"— Presentation transcript:

1 Evil Code and how to defend against it CSCI 4300 http://shiflett.org/php-security.pdf http://phpsec.org/projects/guide/2.html

2

3 Defense against form input attacks: data filtering

4 Dispatch method

5 Dispatch script example

6 Spoofed form input

7 Whitelist Input Verification

8 Whitelist Email address verification

9 Simple message board

10 Message Board Attack

11 Message Board defense Security tip: use pre-existing PHP functions; they are more efficient and less likely to contain security holes.

12 Cross-Site Request forgeries Victim has authenticated to target site T Evil site E forges a privileged request to T Forged request succeeds by virtue of victim’s authentication tokens.

13 Cross-Site Request Forgery example Target site, stox.com: Evil site, evil-hackers.org

14 CSRF defense: form tokens

15 Database Credentials Place db.inc outside of document root, so it cannot be accessed via a URL!

16 SQL injection attack <?php //get $uname and $passwd... mysql_query (“select * from user where uname=‘$uname’ and password=‘$passwd’”) Evil input: Uname = my_uname Passwd= mypassd’; delete from user where ‘a’=‘a’

Download ppt "Evil Code and how to defend against it CSCI 4300"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.

DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.

1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.

AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.
Exploits: XSS, SQLI, Buffer Overflow

Exploits: XSS, SQLI, Buffer Overflow
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.

Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead

Similar presentations

Ads by Google